netfilter: push reasm skb through instead of original frag skbs

typedef unsigned char *sk_buff_data_t;

typedef unsigned char *sk_buff_data_t;

#endif

#endif

#if defined(CONFIG_NF_DEFRAG_IPV4) || defined(CONFIG_NF_DEFRAG_IPV4_MODULE) || \

    defined(CONFIG_NF_DEFRAG_IPV6) || defined(CONFIG_NF_DEFRAG_IPV6_MODULE)

#define NET_SKBUFF_NF_DEFRAG_NEEDED 1

#endif

/** 

/** 

 *	struct sk_buff - socket buffer

 *	struct sk_buff - socket buffer

 *	@next: Next buffer in list

 *	@next: Next buffer in list

 *	@protocol: Packet protocol from driver

 *	@protocol: Packet protocol from driver

 *	@destructor: Destruct function

 *	@destructor: Destruct function

 *	@nfct: Associated connection, if any

 *	@nfct: Associated connection, if any

 *	@nfct_reasm: netfilter conntrack re-assembly pointer

 *	@nf_bridge: Saved data about a bridged frame - see br_netfilter.c

 *	@nf_bridge: Saved data about a bridged frame - see br_netfilter.c

 *	@skb_iif: ifindex of device we arrived on

 *	@skb_iif: ifindex of device we arrived on

 *	@tc_index: Traffic control index

 *	@tc_index: Traffic control index

#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)

#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)

	struct nf_conntrack	*nfct;

	struct nf_conntrack	*nfct;

#endif

#endif

#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED

	struct sk_buff		*nfct_reasm;

#endif

#ifdef CONFIG_BRIDGE_NETFILTER

#ifdef CONFIG_BRIDGE_NETFILTER

	struct nf_bridge_info	*nf_bridge;

	struct nf_bridge_info	*nf_bridge;

#endif

#endif

		atomic_inc(&nfct->use);

		atomic_inc(&nfct->use);

}

}

#endif

#endif

#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED

static inline void nf_conntrack_get_reasm(struct sk_buff *skb)

{

	if (skb)

		atomic_inc(&skb->users);

}

static inline void nf_conntrack_put_reasm(struct sk_buff *skb)

{

	if (skb)

		kfree_skb(skb);

}

#endif

#ifdef CONFIG_BRIDGE_NETFILTER

#ifdef CONFIG_BRIDGE_NETFILTER

static inline void nf_bridge_put(struct nf_bridge_info *nf_bridge)

static inline void nf_bridge_put(struct nf_bridge_info *nf_bridge)

{

{

	nf_conntrack_put(skb->nfct);

	nf_conntrack_put(skb->nfct);

	skb->nfct = NULL;

	skb->nfct = NULL;

#endif

#endif

#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED

	nf_conntrack_put_reasm(skb->nfct_reasm);

	skb->nfct_reasm = NULL;

#endif

#ifdef CONFIG_BRIDGE_NETFILTER

#ifdef CONFIG_BRIDGE_NETFILTER

	nf_bridge_put(skb->nf_bridge);

	nf_bridge_put(skb->nf_bridge);

	skb->nf_bridge = NULL;

	skb->nf_bridge = NULL;

	nf_conntrack_get(src->nfct);

	nf_conntrack_get(src->nfct);

	dst->nfctinfo = src->nfctinfo;

	dst->nfctinfo = src->nfctinfo;

#endif

#endif

#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED

	dst->nfct_reasm = src->nfct_reasm;

	nf_conntrack_get_reasm(src->nfct_reasm);

#endif

#ifdef CONFIG_BRIDGE_NETFILTER

#ifdef CONFIG_BRIDGE_NETFILTER

	dst->nf_bridge  = src->nf_bridge;

	dst->nf_bridge  = src->nf_bridge;

	nf_bridge_get(src->nf_bridge);

	nf_bridge_get(src->nf_bridge);

#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)

#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)

	nf_conntrack_put(dst->nfct);

	nf_conntrack_put(dst->nfct);

#endif

#endif

#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED

	nf_conntrack_put_reasm(dst->nfct_reasm);

#endif

#ifdef CONFIG_BRIDGE_NETFILTER

#ifdef CONFIG_BRIDGE_NETFILTER

	nf_bridge_put(dst->nf_bridge);

	nf_bridge_put(dst->nf_bridge);

#endif

#endif

struct ip_vs_iphdr {

struct ip_vs_iphdr {

	__u32 len;	/* IPv4 simply where L4 starts

	__u32 len;	/* IPv4 simply where L4 starts

			   IPv6 where L4 Transport Header starts */

			   IPv6 where L4 Transport Header starts */

	__u32 thoff_reasm; /* Transport Header Offset in nfct_reasm skb */

	__u16 fragoffs; /* IPv6 fragment offset, 0 if first frag (or not frag)*/

	__u16 fragoffs; /* IPv6 fragment offset, 0 if first frag (or not frag)*/

	__s16 protocol;

	__s16 protocol;

	__s32 flags;

	__s32 flags;

	union nf_inet_addr daddr;

	union nf_inet_addr daddr;

};

};

/* Dependency to module: nf_defrag_ipv6 */

#if defined(CONFIG_NF_DEFRAG_IPV6) || defined(CONFIG_NF_DEFRAG_IPV6_MODULE)

static inline struct sk_buff *skb_nfct_reasm(const struct sk_buff *skb)

{

	return skb->nfct_reasm;

}

static inline void *frag_safe_skb_hp(const struct sk_buff *skb, int offset,

				      int len, void *buffer,

				      const struct ip_vs_iphdr *ipvsh)

{

	if (unlikely(ipvsh->fragoffs && skb_nfct_reasm(skb)))

		return skb_header_pointer(skb_nfct_reasm(skb),

					  ipvsh->thoff_reasm, len, buffer);

	return skb_header_pointer(skb, offset, len, buffer);

}

#else

static inline struct sk_buff *skb_nfct_reasm(const struct sk_buff *skb)

{

	return NULL;

}

static inline void *frag_safe_skb_hp(const struct sk_buff *skb, int offset,

static inline void *frag_safe_skb_hp(const struct sk_buff *skb, int offset,

				      int len, void *buffer,

				      int len, void *buffer,

				      const struct ip_vs_iphdr *ipvsh)

				      const struct ip_vs_iphdr *ipvsh)

{

{

	return skb_header_pointer(skb, offset, len, buffer);

	return skb_header_pointer(skb, offset, len, buffer);

}

}

#endif

static inline void

static inline void

ip_vs_fill_ip4hdr(const void *nh, struct ip_vs_iphdr *iphdr)

ip_vs_fill_ip4hdr(const void *nh, struct ip_vs_iphdr *iphdr)

			(struct ipv6hdr *)skb_network_header(skb);

			(struct ipv6hdr *)skb_network_header(skb);

		iphdr->saddr.in6 = iph->saddr;

		iphdr->saddr.in6 = iph->saddr;

		iphdr->daddr.in6 = iph->daddr;

		iphdr->daddr.in6 = iph->daddr;

		/* ipv6_find_hdr() updates len, flags, thoff_reasm */

		/* ipv6_find_hdr() updates len, flags */

		iphdr->thoff_reasm = 0;

		iphdr->len	 = 0;

		iphdr->len	 = 0;

		iphdr->flags	 = 0;

		iphdr->flags	 = 0;

		iphdr->protocol  = ipv6_find_hdr(skb, &iphdr->len, -1,

		iphdr->protocol  = ipv6_find_hdr(skb, &iphdr->len, -1,

						 &iphdr->fragoffs,

						 &iphdr->fragoffs,

						 &iphdr->flags);

						 &iphdr->flags);

		/* get proto from re-assembled packet and it's offset */

		if (skb_nfct_reasm(skb))

			iphdr->protocol = ipv6_find_hdr(skb_nfct_reasm(skb),

							&iphdr->thoff_reasm,

							-1, NULL, NULL);

	} else

	} else

#endif

#endif

	{

	{

int nf_ct_frag6_init(void);

int nf_ct_frag6_init(void);

void nf_ct_frag6_cleanup(void);

void nf_ct_frag6_cleanup(void);

struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user);

struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user);

void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb,

void nf_ct_frag6_consume_orig(struct sk_buff *skb);

			struct net_device *in, struct net_device *out,

			int (*okfn)(struct sk_buff *));

struct inet_frags_ctl;

struct inet_frags_ctl;

#if IS_ENABLED(CONFIG_NF_CONNTRACK)

#if IS_ENABLED(CONFIG_NF_CONNTRACK)

	nf_conntrack_put(skb->nfct);

	nf_conntrack_put(skb->nfct);

#endif

#endif

#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED

	nf_conntrack_put_reasm(skb->nfct_reasm);

#endif

#ifdef CONFIG_BRIDGE_NETFILTER

#ifdef CONFIG_BRIDGE_NETFILTER

	nf_bridge_put(skb->nf_bridge);

	nf_bridge_put(skb->nf_bridge);

#endif

#endif

	return nf_conntrack_confirm(skb);

	return nf_conntrack_confirm(skb);

}

}

static unsigned int __ipv6_conntrack_in(struct net *net,

					unsigned int hooknum,

					struct sk_buff *skb,

					const struct net_device *in,

					const struct net_device *out,

					int (*okfn)(struct sk_buff *))

{

	struct sk_buff *reasm = skb->nfct_reasm;

	const struct nf_conn_help *help;

	struct nf_conn *ct;

	enum ip_conntrack_info ctinfo;

	/* This packet is fragmented and has reassembled packet. */

	if (reasm) {

		/* Reassembled packet isn't parsed yet ? */

		if (!reasm->nfct) {

			unsigned int ret;

			ret = nf_conntrack_in(net, PF_INET6, hooknum, reasm);

			if (ret != NF_ACCEPT)

				return ret;

		}

		/* Conntrack helpers need the entire reassembled packet in the

		 * POST_ROUTING hook. In case of unconfirmed connections NAT

		 * might reassign a helper, so the entire packet is also

		 * required.

		 */

		ct = nf_ct_get(reasm, &ctinfo);

		if (ct != NULL && !nf_ct_is_untracked(ct)) {

			help = nfct_help(ct);

			if ((help && help->helper) || !nf_ct_is_confirmed(ct)) {

				nf_conntrack_get_reasm(reasm);

				NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, reasm,

					       (struct net_device *)in,

					       (struct net_device *)out,

					       okfn, NF_IP6_PRI_CONNTRACK + 1);

				return NF_DROP_ERR(-ECANCELED);

			}

		}

		nf_conntrack_get(reasm->nfct);

		skb->nfct = reasm->nfct;

		skb->nfctinfo = reasm->nfctinfo;

		return NF_ACCEPT;

	}

	return nf_conntrack_in(net, PF_INET6, hooknum, skb);

}

static unsigned int ipv6_conntrack_in(const struct nf_hook_ops *ops,

static unsigned int ipv6_conntrack_in(const struct nf_hook_ops *ops,

				      struct sk_buff *skb,

				      struct sk_buff *skb,

				      const struct net_device *in,

				      const struct net_device *in,

				      const struct net_device *out,

				      const struct net_device *out,

				      int (*okfn)(struct sk_buff *))

				      int (*okfn)(struct sk_buff *))

{

{

	return __ipv6_conntrack_in(dev_net(in), ops->hooknum, skb, in, out,

	return nf_conntrack_in(dev_net(in), PF_INET6, ops->hooknum, skb);

				   okfn);

}

}

static unsigned int ipv6_conntrack_local(const struct nf_hook_ops *ops,

static unsigned int ipv6_conntrack_local(const struct nf_hook_ops *ops,

		net_notice_ratelimited("ipv6_conntrack_local: packet too short\n");

		net_notice_ratelimited("ipv6_conntrack_local: packet too short\n");

		return NF_ACCEPT;

		return NF_ACCEPT;

	}

	}

	return __ipv6_conntrack_in(dev_net(out), ops->hooknum, skb, in, out,

	return nf_conntrack_in(dev_net(out), PF_INET6, ops->hooknum, skb);

				   okfn);

}

}

static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {

static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {